The paper shows that BIND 8 DNS queries are predictable, i.e. that the source UDP port and the DNS transaction ID of an outgoing query can be effectively predicted. A prediction algorithm is described that, under optimal conditions, yields a single guess for the "next" query, correct with probability between 25% and 43% depending on the DNS traffic the server handles, thereby defeating whatever protection the transaction ID mechanism offers. This enables a far more effective DNS cache poisoning attack than the currently known attacks against BIND 8. The net effect is that pharming attacks are feasible against BIND 8 caching DNS servers without the need to directly attack either DNS servers or clients (PCs). The results apply to all BIND 8 releases from BIND 8.2 onward, when BIND (the named daemon) is configured as a caching DNS server.

The latest BIND 9 releases (9.4.1-P1, 9.3.4-P1 and 9.2.8-P1) implement a very similar, though somewhat stronger, algorithm than the one used in BIND 8. As a result, BIND 9 is vulnerable only to a theoretical attack against its algorithm. While that attack is not feasible as-is, its existence, and the potential for it to be improved with further research, makes BIND 9 insecure as well.
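The following Python is an added illustration of the attack class the abstract describes (observe one query, predict the transaction ID of the next, forge the answer); it is not code from the paper, from BIND, or from the author. The weak ID generator it uses is a made-up toy and is NOT BIND 8's algorithm (that is what the paper analyses), the resolver is a minimal model with a fixed source port and one outstanding query per name, and all names and addresses are constructed sample data.

```python
"""Toy model: transaction-ID prediction against a caching resolver.

Added illustration only.  The generator below is a made-up weak sequence,
not BIND 8's algorithm; the resolver accepts a response on port + ID +
question match only, which is the check a predicted ID defeats.
"""
import secrets
import struct

A_IN = struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def encode_qname(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_qname(msg, off=12):
    # Uncompressed name starting at the question section (offset 12).
    labels = []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += 1 + n
    return ".".join(labels)


def build_query(txid, qname):
    # Header: ID, flags (RD), QDCOUNT=1, AN/NS/ARCOUNT=0, then one question.
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + encode_qname(qname) + A_IN


def build_response(txid, qname, ip, ttl=3600):
    # Flags QR|AA|RD|RA; one A answer whose owner is a pointer to the question name.
    hdr = struct.pack(">HHHHHH", txid, 0x8580, 1, 1, 0, 0)
    rdata = bytes(int(o) for o in ip.split("."))
    answer = b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, len(rdata)) + rdata
    return hdr + encode_qname(qname) + A_IN + answer


def parse_txid(msg):
    return struct.unpack(">H", msg[:2])[0]


def parse_answer_ip(msg):
    # Skip header, question (name + type/class) and the 2-byte owner pointer.
    off = 12 + len(encode_qname(decode_qname(msg))) + 4 + 2
    rdlen = struct.unpack(">H", msg[off + 8:off + 10])[0]  # type, class, ttl precede rdlen
    return ".".join(str(b) for b in msg[off + 10:off + 10 + rdlen])


class Resolver:
    """Caching resolver model; next_txid is the ID generator under test (assumption: fixed port)."""

    def __init__(self, next_txid, port=53123):
        self.next_txid, self.port = next_txid, port
        self.pending, self.cache = {}, {}

    def query(self, qname):
        txid = self.next_txid()
        self.pending[qname] = txid
        return self.port, build_query(txid, qname)  # (source port, datagram) as seen on the wire

    def receive(self, dst_port, msg):
        """Accept a response only if destination port, transaction ID and question all match."""
        qname = decode_qname(msg)
        if dst_port != self.port or self.pending.get(qname) != parse_txid(msg):
            return False
        del self.pending[qname]
        self.cache[qname] = parse_answer_ip(msg)
        return True


def make_toy_generator(seed):
    """Made-up weak sequence (NOT BIND's): each ID is a fixed function of the previous one."""
    state = [seed & 0xFFFF]

    def next_txid():
        state[0] = (state[0] * 3 + 7) & 0xFFFF
        return state[0]
    return next_txid


def predict_next(observed_txid):
    """Attacker's single-guess predictor for the toy generator above."""
    return (observed_txid * 3 + 7) & 0xFFFF


def random_txid():
    """Unpredictable 16-bit IDs: the attacker's one guess hits with probability 1/65536."""
    return secrets.randbelow(1 << 16)


def run_attack(resolver, victim="www.bank.example", bogus_ip="203.0.113.66"):
    """Observe one query, forge the next.  Returns True if the victim name was poisoned."""
    # 1. Attacker makes the resolver look up a name whose authoritative server the attacker
    #    runs, so the query's source port and transaction ID are seen on the wire.
    port, q = resolver.query("probe.attacker.example")
    observed = parse_txid(q)
    resolver.receive(port, build_response(observed, "probe.attacker.example", "192.0.2.1"))
    # 2. Attacker triggers a lookup of the victim name and races the genuine answer with a
    #    forged one carrying the predicted ID, sent to the port observed in step 1.
    port, _ = resolver.query(victim)
    forged = build_response(predict_next(observed), victim, bogus_ip)
    return resolver.receive(port, forged) and resolver.cache.get(victim) == bogus_ip


if __name__ == "__main__":
    print("toy generator poisoned:", run_attack(Resolver(make_toy_generator(0x1234))))
    print("random IDs poisoned:   ", run_attack(Resolver(random_txid)))
```

With the toy generator a single forged datagram poisons the cache; with unpredictable IDs (and, in real deployments, a randomised source port as well) the same single guess almost never lands, which is the difference the abstract's 25% to 43% one-guess success rate makes in practice.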
Amit Klein
July-August 2007
Download paper [1]
Links:
[1] http://www.trusteer.com/sites/default/files/BIND_8_DNS_Cache_Poisoning.pdf